Protected Port on Cisco Catalyst Switch

Hello Rene/ Laz,
I have a question and I am going to use the below topology as a reference for the question.

As you see in the diagram, all the PCs are in VLAN 10. The access switch is hosting other VLANs as well. All the SVIs are located in the Distribution switch as you see in the diagram. The link between access switch and the distribution switch is a Trunk link to carry multiple VLANs.
Now my requirement is to block access for PC3 and PC4 so they can not go out of local network. If PC3 and PC4 can not talk to each other, that is ok. They are only allowed to talk to the devices in the local network(VLAN 10). I am thinking to configure PC3, PC4 and the Trunk port on the access switch as Protected port. I am not quite sure how protected port works on a trunk port. I am expecting that PC3 and PC4 will not able to get to the gateway and therefore, they will not be able to go out of the local network. I am also expecting all other devices to have normal functionality. Please clarify this.

Thank you in advance.

Azm